Abstract
Virtual machine introspection (VMI) can be defined as the external monitoring of virtual machines. In previous work, the importance of this technique for malware analysis and digital forensics has become apparent. However, in these domains the problem occurs that some information is not available in the main memory at all times. Specifically, files contained on non-volatile memory are typically not accessible for VMI applications. In this paper, we present a file extraction architecture that uses a dynamically injected in-guest agent to expose the file system for VMI-based analysis. To enable the execution of this in-guest agent, we also introduce a process injection mechanism for ELF binaries through the main memory using VMI.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
This is achieved by waiting in the VMI application until the child’s top-level paging structure differs from the parent’s.
- 2.
Under Linux operating systems, the term anonymous file refers to a file that lives solely in memory. It is not present on any mounted file system and released once it is no longer referenced [12]. The memfd_create system call was introduced in version 3.17. For older Linux versions or BSD variants, it is possible to use shm_open instead.
- 3.
LSTAR is a model-specific register that holds the targeted instruction pointer when executing a system call in long mode.
References
Armbruster, M.: Device Specification for Inter-VM shared memory device (2016). https://fossies.org/linux/qemu/docs/specs/ivshmem-spec.txt. Accessed 27 July 2020
Bahram, S., et al.: DKSM: subverting Virtual Machine Introspection for Fun and Profit. In: 29th IEEE Symposium on Reliable Distributed Systems, pp. 82–91. IEEE (2010)
Brengel, M., Backes, M., Rossow, C.: Detecting hardware-assisted virtualization. In: Caballero, J., Zurutuza, U., RodrÃguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 207–227. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40667-1_11
Chudnovsky, D., Chudnovsky, G.: Approximations and complex multiplication according to Ramanujan. In: Pi: A Source Book, pp. 596–622. Springer, New York (2004). https://doi.org/10.1007/978-1-4757-4217-6_63
Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., Lee, W.: Virtuoso: narrowing the semantic gap in virtual machine introspection. In: IEEE Symposium on Security and Privacy, pp. 297–312. IEEE (2011)
Fu, Y., Zeng, J., Lin, Z.: HYPERSHELL: a practical hypervisor layer guest OS shell for automated in-VM management. In: Proceedings of the 2014 USENIX Annual Technical Conference, pp. 85–96. USENIX Association, USA (2014)
Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the Network and Distributed System Security Symposium. The Internet Society (2003)
Gorman, M.: Understanding the Linux Virtual Memory Manager, vol. 352, 1st edn., pp. 33–38. Prentice Hall, Prentice (2004)
Gu, Z., Deng, Z., Xu, D., Jiang, X.: Process implanting: a new active introspection framework for virtualization. In: 2011 IEEE 30th International Symposium on Reliable Distributed Systems, pp. 147–156. IEEE (2011)
Hale, K.C., Xia, L., Dinda, P.A.: Shifting GEARS to enable guest-context virtual services. In: Proceedings of the 9th International Conference on Autonomic Computing, New York, NY, USA, pp. 23–32. Association for Computing Machinery (2012)
Hebbal, Y., Laniepce, S., Menaud, J.: Virtual machine introspection: techniques and applications. In: 10th International Conference on Availability, Reliability and Security, pp. 676–685. IEEE (2015)
Herrmann, D.: memfd\_create - create an anonymous file. In Linux Programmer’s Manual (2020). http://man7.org/linux/man-pages/man2/memfd_create.2.html. Accessed 09 Feb 2020
Hussein, N.: Randomizing structure layout (2017). https://lwn.net/Articles/722293/ (2017). Accessed 01 Jan 2020
Intel Corporation: Intel\(^{\textregistered }\) 64 and IA-32 Architectures Software Developer’s Manual, vol. 3D, pp. C1–C3, September 2016
Jain, B., Baig, M.B., Zhang, D., Porter, D.E., Sion, R.: SoK: introspections on trust and the semantic gap. In: IEEE Symposium on Security and Privacy, pp. 605–620. IEEE (2014)
Jones, R.: libguestfs - tools for accessing and modifying virtual machine disk images (2009). http://libguestfs.org/. Accessed 27 July 2020
Maartmann-Moe, C., Thorkildsen, S.E., Årnes, A.: The persistence of memory: forensic identification and extraction of cryptographic keys. In: Digital Investigation, vol. 6, pp. S132–S140. Elsevier (2009)
McNamara, R.: Linux based inter-process code injection without ptrace(2) (2017). https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html. Accessed 01 Jan 2020
Mohebbi, H., Kashefi, O., Sharifi, M.: ZIVM: a zero-copy inter-VM communication mechanism for cloud computing. In: Computer and Information Science, vol. 4, pp. 18–27. Canadian Center of Science and Education (2011)
Molnár, I.: This is the CFS scheduler (2007). http://people.redhat.com/mingo/cfs-scheduler/sched-design-CFS.txt. Accessed 19 Jan 2020
Morbitzer, M., Huber, M., Horsch, J.: Extracting secrets from encrypted virtual machines. In: Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy, CODASPY 2019, pp. 221–230. Association for Computing Machinery (2019)
Morbitzer, M., Huber, M., Horsch, J., Wessel, S.: SEVered: subverting AMD’s virtual machine encryption. In: Proceedings of the 11th European Workshop on Systems Security, EuroSec@EuroSys, pp. 1–6. Association for Computing Machinery (2018)
Payne, B.D.: Simplifying virtual machine introspection using libvmi. Technical report, Sandia National Laboratories (2012)
Pfoh, J., Schneider, C.A., Eckert, C.: A formal model for virtual machine introspection. In: VMSec 2009. Association for Computing Machinery (2009)
Rekall: Rekall memory forensics framework (2012). https://github.com/google/rekall (2012). Accessed 07 Oct 2019
Tanenbaum, A.S.: Modern Operating Systems, pp. 74–75. Prentice Hall, Prentice (2004)
Taubmann, B., Rakotondravony, N., Reiser, H.P.: Cloudphylactor: harnessing mandatory access control for virtual machine introspection in cloud data centers. In: IEEE Trustcom/BigDataSE/ISPA, pp. 957–964. IEEE (2016)
Taubmann, B., Rakotondravony, N., Reiser, H.P.: Libvmtrace: Tracing virtual machines. Winter School on Operating Systems (WSOS) (2016). WiP abstract
Tuzel, T., Bridgman, M., Zepf, J., Lengyel, T.K., Temkin, K.J.: Who watches the watcher? Detecting hypervisor introspection from unprivileged guests. In: Digital Investigation, vol. 26, pp. S98–S106. Elsevier (2018)
Volatility Foundation: Volatility memory forensics framework (2009). https://github.com/volatilityfoundation/volatility. Accessed 07 Oct 2019
Acknowledgments
This work has been funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – 361891819 (ARADIA).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Dangl, T., Taubmann, B., Reiser, H.P. (2021). Agent-Based File Extraction Using Virtual Machine Introspection. In: Asplund, M., Nadjm-Tehrani, S. (eds) Secure IT Systems. NordSec 2020. Lecture Notes in Computer Science(), vol 12556. Springer, Cham. https://doi.org/10.1007/978-3-030-70852-8_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-70852-8_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-70851-1
Online ISBN: 978-3-030-70852-8
eBook Packages: Computer ScienceComputer Science (R0)